Mwell…my dear dear journal, today I had to learn about Mobility over SAE. As we very well know, our naughty user (User Equipment) does not just stay in one single cell, but rather moves around between different antennas. As per TS 23.401 (I have studied the June edition), there are several “cases” of mobility, or handover, as the 3GPP guys call them.

What is to know about how these “cases” are delimited:

1. whether the UE only moves from one eNodeB to another (the rest of the EPS is the same) or other components (like MME and/or SGW) are also changing => X2-handover and S1-handover

2. whether or not the eNodeBs are connected each-other (when they are connected, the interface is called X2) => this results in 2 separate cases: Direct Tunneling (we have X2) and Indirect Tunneling (we don’t have X2)

3. whether or not the MME changes (is relocated, as per the TS) => no MMErelocation and MME relocation scenarios

4. whether or not the SGW changes (is relocated, as per the TS) => no SGW relocation and SGW relocation scenarios

5. in each of these cases, what happens to the user-plane traffic in terms of the path it takes; the uplink usually goes directly through the new components of handover, but the downlink data is forwarded back and forth around those elements – in the diagrams attached I have represented the user-plane in dotted lines – hope you’d like it 😛

6. the user-plane flow problem appears only in the time interval that the handover is not completed, otherwise it is the usual; this is why there is only a downlink user-plane traffic described

* this is the case when there are some downlink packets that have been forwarded from the SGW to the source eNB, BEFORE the handover is completed; this means that the source eNB (knowing there is a handover ongoing), resends/sends back these packets to the SGW they came from; the SGW, at this point, should be aware of the handover and buffer the packets until the handover is completed, then forward them via the appropriate S1-U to the target eNB

At first, I thought I was too noob to understand this stuff. I still consider myself a noob, but the way these TSs are written sometimes really gets on my nerves.

Let’s just consider the case of the S1-based handover with MME relocation and SGW relocation and Indirect Tunneling – meaning there is no X2 link between the source and target eNBs. All I can do for the moment is to look at the S11 interface, because this is the one I have the opportunity to study at this point.

So, the 2 TSs involved in this case, at least at the high level are TS 23.401 – which describes the message flows between the SAE entities and TS 29.274 – which describes each message and its IEs.

The S1 based handover with MME/SGW relocation and Indirect Tunneling looks something like this:

In order to make this more human-readable, I have considered the following scenario:

where my UE (UE-1) moves from eNB 30.0.0.1 to eNB 30.0.0.5 (which have an X2 link together) – doing X2 handover (with no MME relocation), then it moves from eNB 30.0.0.5 to eNB 30.0.0.8 (which don’t have an X2 link between them). As you can see from the picture, these 2 eNBs belong to 2 different MMEs and SGWs. This means that, when the UE moves from eNB5 (30.0.0.5) to eNB8(30.0.0.8), it will generate an S1 handover signaling between the source MME – MME1 (30.0.1.1), source SGW – SGW1 (30.0.2.1), target MME – MME4 (30.0.1.4) and target SGW – SGW2 (30.0.2.2). As there is no X2 link between eNB5 and eNB5, the downlink packets coming from the PGW while the UE is in the handover process with reach eNB5, then they will be “reflected” back to SG1, which will then forward them via an “indirect” tunnel to SGW2, which will forward them to the new eNB8, which is in charge of my UE.

The flow is like this (3GPP copy-pasted 🙂 )

1) So, as this picture states, once the handover is decided, the source MME sends a Forward Relocation Request to the target MME. This message must at least contain the following mandatory IEs, as per TS 29.274:

– IMSI

– Sender’s F-TEID for Control Plane

– MME/SGSN UE EPS PDN Connections

– SGW S11/S4 IP Address and TEID for Control Plane

– MME/SGSN UE MM Context

2) Then the target MME sends a Create Session Request message to the target SGW, including (M == Mandatory):

– IMSI (M)

– RAT Type – here is E-UTRAN (M)

– Sender F-TEID for Control Plane – here it is the IP address of the source MME: 30.0.1.4 + it’s TEID/GRE Key (this “key” is actually a hexadecimal number on 2 bytes) (M)

– APN Name (M)

– Maximum APN Restriction (M)

– LBI – Linked EPS Bearer ID – indicates the default bearer of the connection – the ID of the default bearer, usually this has value 5 (C)

– PGW S5/S8 Address for Control Plane or PMIP – this is the IP address of the PGW: 20.0.0.1 (C)

3) the target SGW replies to the target MME with a Create Session Response message, containing:

– Cause (M)

– Sender F-TEID for Control Plane – this is the IP address of the target SGW: 30.0.2.2 (C)

– APN Restriction (M)

– Bearer Contexts created (M) – this means that all the bearers that have the OK to be created for the UE in question are going to be present here, in a separate group IE; the IEs within a Bearer Context have the following:

— EBI – EPS Bearer ID (M)

— Cause (M)

— S1-U SGW F-TEID – the IP address of the SGW used for user-plane and a TEID/GRE identifier on 2 bytes – this is usually the same identifier used for the initial traffic of this user, _before_ the handover, let’s just call it Key-A – which is the uplink identifier for the user (C)

— Bearer Level QoS – the new QoS parameters, if they have been changed (C)

** Let’s stop for a second a recap. What do I have at this point? I have an UE (UE-1 in the picture) with an IP address (let’s say: 40.0.0.91). It is attached to the eNB 30.0.0.5, having a default bearer in place with the MME 30.0.1.1 (source) and the SGW 30.0.2.1 (source). This default bearer has an uplink identifier TEID, called as above Key-A, which also has a downlink identifier TEID, called Key-1. Let’s say that what travels in uplink has a key made out of letters, and what travels in downlink has keys made out of numbers 🙂

Ooook, what’s next. Well, as my UE moves to eNB 30.0.0.8, AND there is no X2 link between eNB5 and eNB8, target MME creates an indirect tunnel for the packets. Once the UE has moved to eNB8, the uplink flows directly from this new eNB, to the new SGW and so on. So, the indirect path is for the downlink packets, more precisely, for THOSE downlink packets that have already been routed by the source SGW to the source eNB (eNB5). eNB5 cannot contact eNB8 directly, so it re-routes these packets back to the source SGW, which will also re-route them via this indirect tunnel to the target SGW – which has direct S1-U connectivity to the target eNB to deliver the packets to my dear UE 🙂

How does EPC do that?

4) Target MME (30.0.1.4) sends a Create Indirect Data Forwarding Tunnel Request message to the Target SGW (30.0.2.2), containing all the grouped IEs Bearer Contexts that are to be forwarded this way, this grouped IE being the only Mandatory IE in this message. This Bearer Context IE contains:

— EBI – EPS Bearer ID (M)

— S1-U eNodeB F-TEID for data forwarding – this is the IP address of the target eNB (30.0.0.8) and its associated TEID/GRE key, let’s call it Key -2. This key instructs the target SGW about the destination of the packets for my UE (C)

5) then the Target SGW (30.0.2.2) responds to this message with a Create Indirect Data Forwarding Tunnel Response message. This message has 2 Mandatory IEs: the Cause and the Bearer Contexts grouped IE. This Bearer Context IE has:

— EBI (M)

— Cause (M)

— S1-U SGW F-TEID for data forwarding – this is the IP address of the target SGW and its TEID/GRE identifier – Key-B

6) After this, the target MME sends a Forward Relocation Response message to the source MME, instructing it about the bearers that have been accepted for creation on this indirect path

7) Now, the source MME (30.0.1.1) sends a Create Indirect Data Forwarding Tunnel Request to the source SGW (30.0.2.1), with elements similar to the corresponding message above, except that in this case, the Bearer Context has the TEID/GRE identifiers of the target SGW, contained in the Create Indirect Data Forwarding Tunnel Response from above – Key-B – when source SGW will forward the packets to target SGW, this will be the GRE Identifier used for encapsulating those packets

8) The source SGW responds with a Create Indirect Data Forwarding Tunnel Response message, same as above, but the TEID/GRE ID is the one of the IP address of the source SGW. This ID shall be used for uplink data on the indirect tunnel from the source eNB to the source SGW. Let’s call this ID Key-3.

*** At this point, we have an indirect tunnel created between the following entities:

source eNB (30.0.0.5) -> source SGW (30.0.2.1) : TEID Key-3

source SGW (30.0.2.1) -> target SGW (30.0.2.2) : TEID Key-B

target SGW (30.0.2.2) -> target eNB (30.0.0.8) : TEID Key-2

At this point, the user traffic is like this:

1: packets already forwarded by the source SGW to the source eNB are “reflected” by this eNB – use the downlink GRE ID established initially, Key-1

2: the reflected packets from source eNB back to source SGW use the GRE negotiated via the messages above: Key-3

3: packets then travel on the tunnel from source to target SGW, via the TEID/GRE ID: Key-B

4: then the target SGW finally forwards the packets down to the target eNB via GRE ID: Key-2

*** During all this complicated process, the uplink is already using the target eNB as source for the encapsulating tunnel

So, what happens afterwards?

9) the target MME sends a Modify Bearer Request message to the target SGW, describing the newly created tunnels for downlink, not the indirect ones, the usual, direct ones and the target SGW replies with a Modify Bearer Response message in order to acknowledge (or state a cause for rejecting) this

10) the source MME deletes its session from its (source) SGW, using a Delete Session Request / Delete Session Response pair of messages, carefully indicating the SGW that this is only a “local detach” of the UE, not a complete detach, meaning that the UE just moved and the local information about it is no longer valid, NOT that the UE disappeared from the network and the resources are to be deleted !

EXCEPT Me, because there are a lot of misleading and confusing “explanations” in the specs regarding this type of scenarios, like for instance:

a) one spec (TS 23.401) states that the delete session procedure should have Cause and LBI IEs in the Create Session Request message, while TS 29.274 defines these 2 IEs as Conditional, and, as per the condition in place, none of them should appear in this message when the source MME disconnects from the source SGW. Instead, the SGW should look at the Indication Flags in this request: if the Operation Indication is set, then this is a full detach, if the Scope Indication is set, this is a local detach.

b) look at the above flags: shouldn’t it be better to have just 1 flag, and, if it is set, we have a full detach, otherwise we have a local detach?

c) what happens in the S1 handover with no SGW relocation (whether or not the MME is relocated) and Indirect Tunneling? How is that going? Do I still send the two pairs of Create Indirect Data Forwarding Tunnel Request/Response?

Let’s have a short (very short) talk about this DAF thinggie. DAF stands for Dual Address Bearer and it is a flag only set in the Create Session Request message, sent from the MME to the SGW, over the S11 interface. Details about this funky flag are in TS 23.401 (Section 5.3.2.1 E-UTRAN Initial Attach and Section 5.3.1 IP Address Allocation) and in TS 29.274 (Table 7.2.1-1 Information Elements in Create Session Request) and…might be in other TSs also, but I have no idea about those 😛

So, when and why we do use this flag? Mwell, TS 29.284 says the following:

DAF – Conditional : Dual Address Bearer Flag: This flag shall be set to 1 when the UE requests a PDN type IPv4v6 and all SGSNs which the UE may be handed over to support dual addressing. This shall be determined based on node pre-configuration by the operator.

So, this flag is an indication sent from the MME to the SGW, telling the SGW at the moment of the Initial Attach procedure: Hey! you know what? My mobile device supports dual-stack. You can assign it at once, on the same bearer, both an IPv4 and an IPv6.

Also, if the UE moves from a 3G coverage to a 4G coverage (the definition above says the other way around, but logic tells me that the MME actually sends a Create Session Request when it is a _target_ MME, therefore when the UE moves from a 3G to a 4G network), doing an MME relocation, SGW relocation handover procedure, our MME would says the following to its fellow SGW: Dear SGW, my mobile device has just arrived here from a 3G network, more specifically from an SGSN that supports dual addressing. So don’t worry that I am asking for both an IPv4 and IPv6 addresses for the same bearer for this UE.

Now, there are several rules when using or not this DAF. The general rule is to set it, which seems to be the default rule in the 4G network context.

The only case when, in a 4G context we do NOT set this flag is when the interface between the SGW and the PGW (the S5/S8 interface) runs PMIP, and not GTPv2 (as S11 does).

So, usually, in this most common case, the UE that supports dual-stack will ask for a single default bearer, having an IPv4v6 dual-stack type of address. If the MME is running in a full 4G environment or it is aware that all SGSNs to which the user may handover to also support dual-stack and the MME is aware that the S5/S8 interface runs GTPv2, then the MME will set the DAF flag and hopefully the PGW also supports dual-stack, our dear UE will get an IPv4v6 address, actually meaning that it will get 2 IP addresses (one IPv4 and one IPv6) for the same, single, default bearer to this APN.

But, even if the UE says it supports dual-stack, but the MME considers, for some reasons it has (it is aware of non-compatible SGSN, or it knows about S5/S8 running PMIP or whatever), not to set the DAF flag, then the UE’s type of address remains to be decided by the PGW….as it follows:

The PDN GW takes into account the received PDN type, the Dual Address Bearer Flag and the policies of operator when the PDN GW selects the PDN type to be used as follows. If the received PDN type is IPv4v6 and both IPv4 and IPv6 addressing is possible in the PDN but the Dual Address Bearer Flag is not set, or only single IP version addressing for this APN is possible in the PDN, the PDN GW selects a single IP version (either IPv4 or IPv6). If the received PDN type is IPv4 or IPv6, the PDN GW uses the received PDN type if it is supported in the PDN, otherwise an appropriate error cause will be returned. The PDN GW allocates a PDN Address according to the selected PDN type. If the PDN GW has selected a PDN type different from the received PDN Type, the PDN GW indicates together with the PDN type IE a reason cause to the UE why the PDN type has been modified.

What about the UE. What should it do after getting an IP?

After the Attach Accept message and once the UE has obtained a PDN Address, the UE can then send uplink packets towards the eNodeB which will then be tunnelled to the Serving GW and PDN GW. If the UE requested for a dual address PDN type (IPv4v6) to a given APN and was granted a single address PDN type (IPv4 or IPv6) by the network with a reason cause indicating that only single IP version per PDN connection is allowed sent together with the PDN type, the UE may request for the activation of a parallel PDN connection to the same APN with a single address PDN type (IPv4 or IPv6) other than the one already activated. If the UE receives no reason cause in step 18 in response to an IPv4v6 PDN type and it receives an IPv6 Interface Identifier apart from the IPv4 address or 0.0.0.0 in the PDN Address field, it considers that the request for a dual address PDN was successful. It can wait for the Router Advertisement from the network with the IPv6 prefix information or it may send Router Solicitation if necessary.

Now, the applications on the UE must know which type of socket to create. They can either create an IPv4 or an IPv6 socket and choose among the available IP addresses.

Sometime in the future posts I will describe in details everything. This is part of an article called An Analysis of Secure Interoperation of EPC and Mobile Equipments, submitted to a conference from IARIA.

This is a summary of what I hope to be able to describe in the next several posts: the establishment of a basic SIP-IMS call flow, in a somewhat interesting scenario: when both Alice and Bob are in roaming.

Each of the participants talks to his/her own P, S and I servers. Here the presumption is that Alice is the one making the phone call.

“c1” because…mwell, because “a” was the register and 4G/IMS architecture, “b” was the OpenIMSCore and “c” should be an actual call flow.

Unfortunately, I cannot show you the actual 4G encapsulation, because I don’t have any tool to emulate that, but, as we’ve understood from the registration flow, each IMS message coming from or going to the IMS mobile device will be encapsulated in GTPv1-u header between the eNodeB, SGW, PGW and then forwarded, without the GTPv1-u encapsulation, to the P-CSCF. Juuust as for the Register flow…

Oook, now let’s take a look at the IMS-SIP call flow. Basically, what I’m going to show here is a Basic Callwith Voice.

Now, the most basic SIP (Session Initiation Protocol) call flow has the following structure:

Basically, Alice sends an INVITE message to Bob (via a sip proxy server or directly), inviting Bob to a voip message exchange, and also sending in the SDP (Session Description Protocol) header (presented as a SIP message body), the RTP (Real-Time Protocol) codecs that Alice’s phone is supporting. 1xx is provisional messaging. 100 Trying and 180 Ringing is a good sign, they mean I am actually contacting Bob, I am just waiting for him to pick-up the phone. When he does that, his device signals a 200 OK (sending in this message also the RTP codecs known by Bob’s device), and Alice’s device Acknowledges. Now the RTP session can begin, with one of the matching codecs. Once the two guys finish talking, Alice’s phone (usually) is the one signaling the end of the conversation, by sending a BYE message to Bob, and this one acknowledges. Alice can also send her supported RTP codecs barely in her ACK message, procedure called late negotiation.

Now, this may rightfully seem simple enough, but wait! We haven’t yet got to the IMS part 🙂

The same “basic” SIP call flow in the IMS context would look like this (of course, excluding the 4G encapsulation which we’ve agreed we understand):

In the next chapter I’ll detail these messages.

For the moment, let’s just observe the presence of a weird new message called PRACK. The PRACK is defined in RFC3262: Reliability of Provisional Responses in the Session Initiation Protocol (SIP). The RFC 3262 states:

The PRACK request plays the same role as ACK, but for
provisional responses. There is an important difference, however.
PRACK is a normal SIP message, like BYE. As such, its own
reliability is ensured hop-by-hop through each stateful proxy. Also
like BYE, but unlike ACK, PRACK has its own response. If this were
not the case, the PRACK message could not traverse proxy servers
compliant to RFC 2543 [4]."

WONDERFUL tool. Kindda weird to configure at first, but, once you have clear in mind what you want to do, it seems really intuitive.

I have it on a debian 5.0.5. Installed in /opt/OpenIMSCore

It has 4 main components:

P-CSCF, I-CSCF, S-CSCF and HSS – and, as far as I have understood from my knowledgeable colleagues who have done this, these components can be installed separately on different machine. I have installed them bulky on a single machine.

Ah, and it needs a DB server (HSS being a DB afterall) – I have used MySQL and a DNS server – I have used bind9, on the same machine. The Fraunhofers are nice guys and give you the DNS file zone and a lot of scripts to make your work of configuring the proxies, as well as adding and managing users, much easier.

So, briefly, where are the configuration files, what I have changed in each of them to make them work, which scripts I have used and what users I have (the IMS dumps from the previous post shows a user called Cristina who registers to this IMS core and does a SIP call – we’ll see that also).

I guess it would be nice and mostly USEFUL, to read the OpenIMSCore install howto (don’t worry, is not long) BEFORE continuing – at least if you want to apply the following information as a “howto”. If you are reading just as a lecture, you may just continue.

And we are firstly interested in the configuration files of the proxies and the database. They are already created at installation time, and I have copied them (as per the installation howto), directly under /opt/OpenIMSCore.

They are:

/opt/OpenIMSCore/pcscf.cfg

/opt/OpenIMSCore/icscf.cfg

/opt/OpenIMSCore/scscf.cfg

/opt/OpenIMSCore/FHoSS/deploy/DiameterPeerHSS.xml

The pcscf.cfg is the config for the P-CSCF – big surprise, heh?

The only change I made here was the IP address the P-CSCF uses for opening the socket:

listen=22.22.22.22

port=4060

alias=”pcscf.open-ims.test”:4060

This file has the directives for the modules to be loaded by the pcscf daemon and also the main routing logic. This routing logic part is a set of decisional actions based on the values of different headers from the SIP messages, like the Method type or the length of the message, or the value of max_forwards header or whether or not this is the initiator of a dialog and so on…

The pcscf.xml is another configuration file, containing declarations of the DiameterPeer, FQDN, Default Route, Realms and Authentication Identifiers. The only changes I’ve done in this file where related to the port where the P-CSCF listens for the Diameter communication:

<Acceptor port=”3867″ bind=”22.22.22.22″/>

This is specially useful if you have the HSS on a different machine (which is the real use-case).

And there is also the pcscf.sh, which is a basic start/stop script.

Now, the example with the pcscf config above is basically the same for the icscf and scscf.

The /opt/OpenIMSCore/FHoSS/deploy/DiameterPeerHSS.xml file contains some similar configuration for the HSS, where the only change was the Acceptor IP and port.

Oh, and one more thing, in order to be able to actually start the HSS you need to have the JAVA_HOME variable set.

Mine is JAVA_HOME=/usr/lib/jvm/java-6-sun.

Then I’ve started the HSS like this:

# cd /opt/OpenIMSCore/FHoSS/deploy

# ./startup.sh

By default, everything starts in debug mode, so I have 4 screens where I start the P, S, I and HSS, and then another one to play with.

It looks like this:

— At this is the no-TLS way to configure it: not much to configure, actually.

First of all, bare in mind that this is NOT the actual end-to-end testing procedure, so I can only show so far a basic IMS call coming from plain IP, therefore with no indication to the Access Network:

Register

The P-CSCF listens on port 4060 UDP (as we will see in the next episode, the configuration of the IMS Core), and the phone is on 5060:

Knowing it is not very nice to talk a lot about a certain thing, but to offer no tangible results, I’ve tried to create some minimal dump information for the things discussed lately on my posts.

They should be, though not end-to-end results, at least some hope-by-hope information.

So, let’s see first how an Initial Attach to the 4G network would look like, then how the UE asks for a dedicated bearer to put traffic on (specifically to put VoIP traffic on), and then take a closer look at a IMS call flow.

For the 4G dumps I must give credit to the wonderful company I work in, which helps me develop on the 4G core network side. While the IMS flows are generated using OpenIMSCore and Monster, the 2 solutions from the cool guys from Fraunhofer.

This is the REGISTER message that the UA composes AFTER receiving the 401 Unauthorized. The UA retrieves the authentication information from the UE, which, in the case of 3GPP phones, is stored in the UICC – Universal Integrated Circuit Card. The new Register message looks like this:

The only difference between them is the Via header, due to the SIP message passing through the

servers.

Now, when this Register message reaches the P-CSCF, this device will do a new DNS query for the I-CSCF IP address. This is usual, as there are usually multiple I-CSCF servers in a network and there is no rule that once an I-CSCF responds to the first UA query this same I-CSCF must also respond to the subsequent queries. This rule dose NOT apply though for the S-CSCF server -which, as we’ve seen in the previous posts, is allocated per UA. So, the P-CSCF gets a (new) IP address of an I-CSCF and forwards there this message.

30. Diameter UAR

At this point, the I-CSCF gets the Register message above. As the I-CSCF has no state of the UA status on the home network, and it also does not know if the HSS already assigned an S-CSCF to the UA or not, the I-CSCF has to contact the HSS again, via the Cx interface, get the address of the S-CSCF allocated for this UA and forward this Register to the right S-CSCF.

This is the step where the Register message is transmitted from the I-CSCF to the S-CSCF. The S-CSCF is the one allocated by the HSS in the previous Register flow (answered with 401 Unauthorized) and now the HSS sends the URI of this allocated S-CSCF to the I-CSCF in the Diameter UAA message from Step 31 above.

33. Diameter SAR

When the S-CSCF receives the Register message with credentials from the UA, it authenticates this UA versus the AV – Authentication Vector is received from the HSS in the previous Step 24. Diameter MAA message. After this, the UA is considered authenticated, so now the S-CSCF should have also its profile (stored in the HSS), in order to know which services are available for it. In order to get this profile and also so let the HSS know that the UA is now registered, the S-CSCF sends the Cx-Put or Diameter SAR – Server-Assignment-Request message to the HSS, via the Cx interface.

According to RFC 4740 – section 8.3, the Diameter SAR message should look like this:

This is the reply sent by the HSS to the S-CSCF, Cx-Put response or Diameter SAA – Server-Assignment-Answer, which contains the user profile. This user profile contains all the Public User Identities of this UA, identities that are associated to the Private User Identity, and also all the public identities that are to be automatically (or implicitly) registered in the S-CSCF.

The user profile also has a set of initial filter criteria – a set of rules which determine when a SIP request is forwarded to an Application Server for a certain service request. The Contact URI of the UA that the S-CSCF store in the HSS it the actual value of the Contact header from the Register message. The S-CSCF also stores the values from the Path header in order to know where to route the SIP initial requests for that UA to.

Then the S-CSCF responds to the Register message by sending a 200 OK message. This message contains also a P-Associated-URIlist – list of the Associated URIs where this UA can be located, according to the S-CSCF – this list is not necessarily the same as the list of implicitly registered public user identities.

The S-CSCF also inserts a Service-Route header, which contains its own URI with a string in the user part, in order to differentiate mobile originated requests from mobile terminating requests.

36. 200 OK

37. 200 OK

These messages are basically the same, except the Via header. When it reaches the UE, the 200 OK message looks like this: